Skip to main content Link Search Menu Expand Document (external link)

SameSite Wiki


Cookies-less XS Attacks

While cookies are one of the most prevalent forms of request authentication, they are not the only one[1]. SameSite cookies can protect those class of request forgery attacks that perform ambient HTTP request authentication with cookies. Accordingly, other forms of request authentication, such as HTTP authentication, client certificate authentication[2], or network-based authentication are not protected by SameSite cookies.


  1. X. Likaj, S. Khodayari, and G. Pellegrino, “Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks,” in RAID, 2021. Link

  2. A. Parsovs, “Practical Issues with TLS Client Certificate Authentication.” in Network and Distributed Systems Security Symposium, 2014. Link